Industrial control systems security needs more work

Federal agencies and industries that use industrial control systems must avoid applying standard information security measures to secure such systems, an engineering expert advised members of the federal Information Security and Privacy Advisory Board, which met Sept. 13.

Keith Stouffer, a mechanical engineer at the National Institute of Standards and Technology’s Intelligent Systems Division, said standard antivirus protection and encryption technologies applied to industrial control systems could shut them down and, in some cases, create a public safety hazard.

Industrial control systems are typically field devices known as programmable logic controllers. “They’re basically stripped down PCs,” Stouffer said. They can’t handle cryptographic functions, such as authentication and encryption, which makes them vulnerable, he added.

Newer industrial control systems are built with Microsoft Windows operating systems and IP protocols “because they’re cheaper and easier to use,” Stouffer said. But by replacing systems built with specialized proprietary software and protocols, government and commercial industries have made their industrial control systems vulnerable to cyberattacks.

“That transition happened without thinking about security,” Stouffer said. “Now we’re having to fix what we asked for.”

Work is under way to develop security configurations for industrial control systems, he added.

Stouffer said many industry executives are unaware of cybersecurity vulnerabilities in their factories and critical infrastructures. “A lot of the higher-ups don’t know they have modems connected to the Internet,” he said. Cyberattackers can use tools called war dialers to find modems connected to industrial control systems.

The nuclear industry is probably safer than most, added Bruce Brody, the Energy Department’s associate chief information officer of cybersecurity and a member of the security advisory board. The nuclear industry still relies on proprietary protocols, so the security threat is not as great, he said.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.